Intel Discloses Three More CPU Flaws
8/14/18: "Today, Intel and our industry partners are sharing more details and mitigation information about a recently identified speculative execution side-channel method called L1 Terminal Fault (L1TF). This method affects select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX) and was first reported to us by researchers at KU Leuven University*, Technion – Israel Institute of Technology*, University of Michigan*, University of Adelaide* and Data61*1. Further research by our security team identified two related applications of L1TF with the potential to impact other microprocessors, operating systems and virtualization software." Read More Details Here.

AMD Ryzen & Epyc Processors Affected with Security Vulnerabilities?
3/13/18: "A newly discovered set of vulnerabilities in AMD chips is making waves not because of the scale of the flaws, but rather the rushed, market-ready way in which they were disclosed by the researchers. When was the last time a bug had its own professionally shot video and PR rep, yet the company affected was only alerted 24 hours ahead of time? The flaws may be real, but the precedent set here is an unsavory one." [TechCrunch]

AMD's response: " We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops." [AMD]

GrandCrab ransomware tool
3/2/18: According to the article on ZDnet, "A GandCrab ransomware decryption tool has been released as part of the No More Ransom initiative, following a combined operation by Bitdefender, the Romanian Police, the Directorate for Investigating Organized Crime and Terrorism (DIICOT) and Europol."

This latest ransomware is a "cybercrime-as-a-service" that gives profit sharing to the original authors but in order to use it, the criminal must agree to not attack Russian or Commonwealth states. 53,000+, worldwide, have already become a victim to this latest ransomware.. But you do not need to be as "the decryption tool is available for free from the No More Ransom portal and from Bitdefender."
[Source: ZDnet.]

Meltdown & Spectre
1/29/18: Microsoft issued an out-of-band update on the weekend that disables Intel's mitigation for CVE-2017-5715, or the Variant 2 Spectre attack described as a "branch target injection vulnerability". This update disables Intel's patch and is available for Windows 7 SP1, Windows 8.1, and all versions of Windows 10, for client and server. Not only was Intel's fix for the Spectre attack causing reboots and stability issues, but Microsoft also found it resulted in the worse scenario of data loss or corruption in some circumstances. [Source: ZDnet]

1/24/18: Major PC Manufacturers [Dell, HP, or Lenovo] that released patches for their Intel-powered PC's, ".. chances are very good that the BIOS or UEFI firmware update you installed earlier this month is bad. If you flashed your BIOS or UEFI this month, you’ll almost undoubtedly have to flash it again just to get rid of the buggy code. Then you’ll have to upgrade the firmware once again, at a later time." [source: Computerworld]

1/23/18: Intel executive vice president Neil Shenoy said on Monday that the chip-maker has identified the source of some of the recent problems, so it is now recommended that users skip the available patches. "We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior." Source: Intel

1/6/18: Kicking off 2018 with a bang, we get notice from a lot of sources that there are two new ways to exploit PCs running specific CPU types. The largest problem is "Meltdown" which affects INTEL CPU's yet Microsoft appears to be issuing a patch that fixes all CPU's of both exploits, and AMD CPU's are not affected by Meltdown so those systems will slow down. Thanks Microsoft!

Updating list of Patches.

Spectre and Meltdown explained

Petya (NotPetya) Ransomware
"In the first hours of the attack, researchers believed this new ransomware was a new version of an older threat called Petya, but they later discovered that this was a new strain altogether, which borrowed some code from Petya, hence the reason why they recently started it calling it NotPetya, Petna, or as we like to call it SortaPetya." [excerpt from BleepingComputer's security news.] There is a simple fix for all version's of Microsoft Windows PC's: download & run this vaccination batch file.

HowTo: Stop the global spread of the WannaDecrypt0r ransomware
A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a "kill switch" in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to - just as if it was looking up any website - and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

However, there are reports that some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain .. if this malware blocking trigger is to be effective," said Lauren Weinstein.

The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses. [Windows XP, Windows 8, and Windows Server 2003] The patches are available for download from here. Microsoft also advises companies and users to disable the Windows Server Message Block version 1 protocol, as it's an old and outdated protocol, already superseded by newer versions, such as SMBv2 and SMBv3... Microsoft had released a fix for that exploit a month before, in March, in security bulletin MS17-010 [which] included fixes for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.

Read the full story on SlashDot

If you have ever been on a web page and seen strange characters in the text, usually it means the author is using a different text encoding - An example is that Agrisea uses Western - Look in your web browser (Text Encoding is under View in Firefox).

However, NeoSmart Technologies (an Agrisea technology partner) shows examples of the latest scam affecting the Chrome web browser:
Random characters on a grayed out web page with a white box showing the Chrome Logo and a font missing warning - Except it is all a scam - Do not download anything & close that page. An example:

If you had not heard, 2016 was an aggressive year for JavaScript email attachments that distributes malware, but with Google banning those types of attachments on 2/13/17, attackers are now switching to less suspicious file types to trick users.

According to Microsoft Malware Protection Center, a new wave of spam emails carries .LNK files inside ZIP archives. Those files had malicious PowerShell scripts attached to them. "You may think that you are protected from fileless malware because your PowerShell execution policies are set to 'Restricted' so that scripts can't run," the Intel Security researchers said in a blog post. "However, attackers can easily bypass these policies."

Another file type used to distribute malware is SVG (Scalable Vector Graphics). While many people correctly associate .SVG files with images, it's a little-known fact that such files can actually contain JavaScript. "Attackers use SVG files to execute JavaScript when users open what they believe to be images inside their browsers", wrote SANS Internet Storm Center.

There is a new ransomware circulating in the wild, Spora, which is very unlike anything else out there. Right now, it is targeting mostly Russians with an email invoice that comes from a well-known, to them, accounting program. If the message is opened, it is actually an .HTA which contains Javascript code that runs and encrypts that PC.

Other aspects of Spora also set it apart from other ransomware operations. For example, its creators have implemented a system that allows them to ask different ransoms for different types of victims.

All this points to Spora being a professional and well-funded operation. The ransom values observed so far are lower than those asked by other gangs, which could indicate the group behind this threat wants to establish itself quickly.

So far, researchers have seen Spora distributed via rogue email attachments that pose as invoices from an accounting software program popular in Russia and other Russian-speaking countries. The attachments are in the form of .HTA (HTML Application) files that contain malicious JavaScript code.

IF YOU GET INFECTED: there is nothing anyone can do for you at this time.

Read the full story at Computerworld

Super Mario Run, a mobile game by Nintendo, is currently only available to Apple iOS users - Android users must wait for their version yet third-party web sites already claim this app is available - Do Not Download It - This fake app is actually the "Marcher" Trojan Malware.

Only get your apps for Android from the Goggle Play Store, ignore web sites that claim anything else.

The Marcher app, when you install it, requires you to give administrative access, which means whomever is behind Marcher may monitor the device and steal login data of not just banking and payment apps, but also for apps including Facebook, WhatsApp, Skype, Gmail, the Google Play store, and more. Criminals can exploit all of these stolen details to carry out additional fraud.
[Read more about it here.]

1) First thing you must know, keeping your accounts safe must be your top priority so if you get an email asking you for your login or password, delete it - No one you already do business with is going to ask you for that information. And if it is someone in your company wanting to know, walk over and ask them why they want it - They might be infected and not even know it.
2) If an email sounds like it is from one of your friends but seems to be slightly off, call them on your phone to ask, and don't click on links in that email. The email might be a phishing attempt by a spy and not the James Bond type either.
3) Seriously, change your password often (that means more than once a year) and don't use the same password for every place.

4) H.R. departments are coming under attack by fake job applications that arrive in email, usually with a PDF file attachment (like a cover letter) and also have a Microsoft Office something. When whatever it is, Excel, Word, etc. is opened, it says Macros must be enabled and if you do, Ransomware encrypts your computer... See Article 2 below for more.

The "bad guys" out there in cyberspace want to steal whatever they can get from you and where you work. And if they can get a virtual foot in the door on something you use, like your phone, it opens up your whole world that they can then exploit. Which means it will cost you, maybe money or identity theft or maybe something even worse.

SO, Next time Agrisea tells you to change your damn password, don't make a face - We are trying to keep you safer in an increasingly hostile world.

Read more about what is happening in these articles on ZDnet: 1 & 2.

A security alert on Javascript has been issued due to a nasty piece of software that can infect your computer and hold it hostage until you pay the ransom. This warning affects all PCs (Win, Mac, & Linux).

If you have been infected with the Bart ransomware, Bitdefender was able to create a decryption tool and credits collaboration with the Romanian Police and Europol for its success in creating the tool. Bart appeared in June 2016 and stood out because it locked victims' files inside ZIP archives encrypted with AES (Advanced Encryption Standard). Unlike other ransomware programs that used RSA public-key cryptography and relied on a command-and-control server to generate key pairs, Bart was able to encrypt files even in the absence of an internet connection.

[Trend Micro has some tools for recovering from a ransomware attack on Windows PCs. ESET can decrypt Crysis & Dharma ransomware. If you have been infected with the Globe or Globe2 ransomware, go to No More Ransom free decryption tool project. As usual, criminals developed a new version, Globe3, and here is that free decryptor. But wait, there are more software for helping you defeat, remove, decrypt, or otherwise test your systems/networks - Read the article at Computerworld.]

MBR-Protect For WIN PCs is a nifty piece of software that can be applied to a Win PC to protect it in advance from the Master Boot Record (MBR) ransomware. A ransomware that targets the MBR and appeared this year [2016] is called Satana. It doesn't not encrypt the MFT, but encrypts the original MBR code itself and replaces it with its own code which displays a ransom note.

Only Windows XP, 7, 8.0/8.1, & 10 are supported - Download the version for your operating system, 32bit or 64bit. Download page.

"MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers," the Cisco Talos researchers said in a blog post. "It can be used to prevent malware from writing to Sector 0 on all disk devices connected to a system. Once installed, the system will need to be booted into Safe Mode in order for Sector 0 of the disk to become accessible for modification."

The problem is that Secure Boot does not work on all computers and for all Windows versions and does not support MBR-partitioned disks at all. This means that there are still a large number of computers out there that don't benefit from it and remain vulnerable to MBR attacks.
Source: ComputerWorld

There is also a ransomware that uses Javascript to install itself, encrypt the PCs files and demand a "ransom" (generally in bitcoin) to unencrypt the files of the PC. And it gives you a countdown, which if ignored increases the "ransom" amount.

See an example of the screen of this latest ransomware "out in the wild":

Credit: Emsisoft

Here are directions for IE, Chrome, Safari, & Firefox. Please note that if you already use FireFox, all you need to do is install NoScript (search for it in Add-Ons), which by default blocks Javascript. So if you need Javascript on a web site you trust, click on Options and Allow that web site.

If you need more details, feel free to view the full story on ComputerWorld

If you are an Agrisea contracted client, your PCs will be modified during January's service. For all others, make sure you backup your PCs often -- If you are infected, be aware that nothing can remove this type of ransomware (at this time) and the only alternative is to wipe your storage media (Hard Drive or Solid State Drive) clean and reinstall everything.

Microsoft has been nagging people to upgrade to Windows 10 [W10] since it came out on 29 July 2015.. Now those nags have been replaced with Windows 10 actually on your PC and in Windows Update as an "Optional update". If you do not change the way updates are installed, you may end up with W10 anyway. [Read more about this 'aggressive' deployment on ZDnet.]

If you have noticed that your internet speed has been a bit slower than usual in the past month, there is a good chance that your Windows 7 or 8.0/8.1 PC now has the W10 software in a hidden directory on your hard drive (or SSD) and it is waiting to be installed.

There is a small piece of software [download it] that removes the nag as well as prevents W10 being installed. However, if you have already said "yes" to install W10 you may be out of luck. Read about the GWX Control Panel software here

If you decided to install W10 as an upgrade from Windows 7 or 8.0/8.1 during the free year, be aware that you only had 30 days to "roll-back" to your previous version of Windows. After 30 days, W10 removed your previous version of Windows and you are stuck now. Whatever license you started with is migrated to w10 so if you wipe your hard drive and reinstall your original operating system, you will need to buy a new license. And Windows 7 Licenses have become hard to get.

Agrisea has many commercial clients who have decided to not upgrade to W10 at this time. Microsoft's sneaky way of downloading 6GB's of data (W10) to each PC even though that PC's owner doesn't want to upgrade, is not acceptable - Most OnSite Contract Clients have already had the W10 block installed.

Last updated: August 16, 2018     Agrisea web site v.XX     Have a Question? Submit a Ticket